Get access token for Azure AD B2C user - azure

I have the following requirement:
create a user on AD B2C.
using the credentials of that user, I need to get an access token and refresh token to access an existing API (REST service).
Active directory here is Azure AD.
I am new to OAuth and Azure. Please suggest the steps and configuration to achieve this. (I do not want any user interaction to get the access token and refresh token.)
Creating a user is clear to me, but if it requires any specific type of user or any required permissions, please suggest those.

To me, it sounds like your use case can be better realized with a service principal. If you don't need a user context, consider using an SP instead. See:
Microsoft identity platform and the OAuth 2.0 client credentials flow
If for whatever reason you want to stick to non-interactive user login, you can use the Resource Owner Password Credentials flow. But be aware that:
Microsoft recommends you do not use the ROPC flow. In most scenarios, more secure alternatives are available and recommended. This flow requires a very high degree of trust in the application, and carries risks which are not present in other flows. You should only use this flow when other more secure flows can't be used.
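Added example, not code from the original post: what the two flows the answer contrasts look like on the wire against the Microsoft identity platform v2.0 token endpoint, client credentials (app-only, no user) next to ROPC (non-interactive user login), with the reply parsed and the well-known AADSTS error codes that make ROPC fail for a user (MFA required, password expired, bad password) surfaced. The tenant, client id, B2C policy name and the replies used in the test are constructed; the transport is injectable so the code can be exercised offline.

```python
# Added example (not code from the original post): building and parsing
# Microsoft identity platform (v2.0) token requests for the two flows the
# answer contrasts, client credentials (app-only, no user) and ROPC
# (non-interactive user login). The tenant, client id and sample responses
# used in the test are constructed; `transport` is injectable so it can be
# exercised offline.
import json
from urllib.error import HTTPError
from urllib.parse import urlencode
from urllib.request import Request, urlopen

TENANT = "contoso.onmicrosoft.com"  # assumed placeholder, not a real tenant
TOKEN_URL = f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/token"


def b2c_token_url(tenant, policy):
    """Azure AD B2C uses its own host and a user flow (policy) in the path;
    ROPC there needs a user flow of the ROPC type. Tenant/policy are assumed."""
    return f"https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}/oauth2/v2.0/token"


def client_credentials_body(client_id, client_secret,
                            scope="https://graph.microsoft.com/.default"):
    # App-only: the app authenticates as itself; an admin must have granted
    # the application permissions. No refresh token is ever returned here.
    return {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret, "scope": scope}


def ropc_body(client_id, username, password, scope, client_secret=None):
    # Resource owner password credentials: the app sees the user's password.
    # Add offline_access to `scope` if a refresh token is wanted.
    body = {"grant_type": "password", "client_id": client_id,
            "username": username, "password": password, "scope": scope}
    if client_secret:  # only for confidential clients
        body["client_secret"] = client_secret
    return body


def http_transport(url, body):
    """POST an application/x-www-form-urlencoded body and return the JSON reply.
    Azure AD answers token errors with HTTP 400/401 and a JSON body, so keep it."""
    req = Request(url, data=urlencode(body).encode(), method="POST",
                  headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urlopen(req) as resp:
            return json.load(resp)
    except HTTPError as err:
        return json.load(err)


class TokenError(Exception):
    pass


# AADSTS error codes a ROPC caller hits for exactly the reasons the answer
# warns about; the client credentials flow never produces them.
ROPC_BLOCKERS = {
    50076: "MFA is required for this user; ROPC cannot satisfy it",
    50055: "the user's password has expired",
    50126: "invalid username or password",
}


def acquire_token(body, transport=http_transport, url=TOKEN_URL):
    resp = transport(url, body)
    if "error" in resp:
        hint = next((ROPC_BLOCKERS[c] for c in resp.get("error_codes", [])
                     if c in ROPC_BLOCKERS), resp.get("error_description", ""))
        raise TokenError(f"{resp['error']}: {hint}")
    if resp.get("token_type", "").lower() != "bearer":
        raise TokenError("unexpected token_type")
    return {"access_token": resp["access_token"],
            "expires_in": int(resp["expires_in"]),
            "refresh_token": resp.get("refresh_token")}  # None for app-only
```

A call looks like `acquire_token(client_credentials_body(client_id, secret))` for the daemon case; the ROPC body is shown only so the difference is visible: the password travels in the form body of every request, which is the trust problem the quoted warning describes.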

Related

Can we use client credentials flow on regular Azure users?

We would like to use the Azure client credentials flow to do authentication for our service accounts. The thing is, our service accounts are just regular users in Azure AD. They are not registered apps. The way our company sets up Azure makes it very heavy to register apps, so we would like to avoid it. So the question is, can we use the client credentials flow for regular users in Azure? We need this as in our CI/CD we cannot pop up a browser and let users do device-based authentication. We need the user to be able to authenticate in an automated way.
You can't use client credentials flow where an Azure AD user is involved in the authentication flow.
Microsoft Documentation - client credentials flow
This type of grant is commonly used for server-to-server interactions that must run in the background, without immediate interaction with a user.
But you can use one of the following supported authentication flows where a user is involved:
Microsoft Documentation - authorization code flow
Microsoft Documentation - implicit grant flow
Microsoft Documentation - device authorization grant flow
Device authorization grant flow might work in your case?
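Added example, not code from the original answer: the device authorization grant exchange the answer suggests, against the v2.0 endpoint, with both sides' messages and the polling rules from RFC 8628 (authorization_pending, slow_down, expired_token, authorization_declined). The point for a CI job is that no browser is needed on the build agent; the human opens verification_uri anywhere and types the user_code. The tenant, client id, `post` transport and the scripted replies used in the test are constructed.

```python
# Added example (not code from the original answer): the device authorization
# grant exchange against the v2.0 endpoint, with the polling rules from
# RFC 8628. The tenant, client id, `post` transport and the scripted replies
# used in the test are constructed.
import json
import time
from urllib.error import HTTPError
from urllib.parse import urlencode
from urllib.request import Request, urlopen

TENANT = "organizations"  # assumed; work/school accounts from any tenant
BASE = f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0"
DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"


def http_post(url, body):
    req = Request(url, data=urlencode(body).encode(), method="POST")
    try:
        with urlopen(req) as resp:
            return json.load(resp)
    except HTTPError as err:       # error replies are JSON with HTTP 400
        return json.load(err)


def start_device_flow(client_id, scope, post=http_post):
    """Step 1: the client asks for a device code. The reply carries user_code
    and verification_uri, which the human enters in any browser (no browser
    on the CI box), plus the polling interval and the code's lifetime."""
    reply = post(f"{BASE}/devicecode", {"client_id": client_id, "scope": scope})
    if "error" in reply:
        raise RuntimeError(reply.get("error_description", reply["error"]))
    return reply


def poll_for_token(client_id, device, post=http_post,
                   sleep=time.sleep, clock=time.monotonic):
    """Step 2: poll the token endpoint with the device_code until the user
    finishes, the code expires, or the user declines."""
    interval = int(device.get("interval", 5))
    deadline = clock() + int(device["expires_in"])
    body = {"grant_type": DEVICE_GRANT, "client_id": client_id,
            "device_code": device["device_code"]}
    while clock() < deadline:
        reply = post(f"{BASE}/token", body)
        err = reply.get("error")
        if err is None:
            # access_token (+ refresh_token if offline_access was in scope)
            return reply
        if err == "authorization_pending":
            pass                       # user has not finished yet; keep waiting
        elif err == "slow_down":
            interval += 5              # server asks us to back off (RFC 8628)
        elif err in ("authorization_declined", "expired_token",
                     "bad_verification_code"):
            raise RuntimeError(err)    # terminal; start a new flow
        else:
            raise RuntimeError(reply.get("error_description", err))
        sleep(interval)
    raise RuntimeError("expired_token")
```

Usage in a job is `dev = start_device_flow(client_id, "https://graph.microsoft.com/User.Read offline_access")`, print `dev["message"]` to the job log, then `poll_for_token(client_id, dev)`. The refresh token that comes back with offline_access is what makes subsequent runs unattended; the one-time human step is unavoidable for a flow that involves a user account.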

user login with ROPC flow with AAD

When using the ROPC flow with AAD, does the invited user share the same credentials (username, password) that he must be using on the other AAD tenant\MS account?
I see that ROPC is not a recommended flow as our client should not handle the credentials. But I just wanted to know what we are compromising other than training users for phishing sites and losing some important features like MFA, etc.
https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc
e.g. if I have my account in parent Azure directory (A) and I am an invited guest\member in Azure directory (B), then for the enterprise SPA app (whichever directory it belongs to) a user using the ROPC flow will use the same username and password to log in to the app. This would compromise both Azure accounts if the credentials are hacked. So is there a way that when we invite users they are not associated with an existing Azure directory (i.e. A or B)?
So is there a way when we invite user they should not be associated with existing Azure directory (i.e A or B)?
In short, NO.
When you choose ROPC flow, it means you need to take the risks. Whether you use ROPC flow in your own tenant or in another tenant, your credentials are at risk of leakage.
Therefore, if you are worried about this, choosing an alternative authentication flow is your first choice.
I assume that you simply do not want to log in interactively; then you can consider the client credential flow, which can easily access the data in both tenants A and B.
One major concern is the one you have already mentioned: the client is handling the credentials. A high degree of trust needs to be placed in the client.
In addition to the above, the points below that I could think of might be worth considering:
On using the ROPC grant type, there is no way to distinguish if the resource owner (the user) is really making that request or the client is making the request.
Federated identity is also unavailable to this grant type
Not applicable for Live accounts (@outlook.com, @hotmail.com, etc.)
SSO is also not feasible.
If you are hashing and storing the password locally and there is a password expiry, then this will fail.

Microsoft Azure OAuth ID Token In Client Credentials Grant

I ideally want to be able to have an admin grant application permissions for my app and login to said app in the same flow. Is this possible?
I currently use the code grant flow for authentication.
I then use the client credentials flow for authorisation.
Is it possible to combine the two into a single flow?
I have the first redirected immediately to the second if the client token has not been granted before, but it isn't the most appealing flow from a UX perspective.
If I could add an ID token to the client grant response that'd be perfect (I just need the UPN of the admin that is consenting), but this doesn't seem to be possible.
A key requirement is the application permissions as my app makes changes to the entire org - obtaining the grantee's ID in the same flow is just a UX optimisation.
Perhaps this is possible with the OpenID Connect flow?
Is it possible to combine the two into a single flow?
No, these are two different authentication flows.
For the authorization code flow, It's used to perform authentication and authorization in the majority of app types, including single page apps, web apps, and natively installed apps. The flow enables apps to securely acquire access_tokens that can be used to access resources secured by the Microsoft identity platform endpoint, as well as refresh tokens to get additional access_tokens, and ID tokens for the signed in user. This flow is usually used in scenarios with user interaction.
For the client credential flow, the administrator directly grants permissions to the application itself. When an application presents a token to a resource, the resource will require the application itself to have the permission to perform operations. This type of grant is usually used for server-to-server interactions that must run in the background and do not require immediate interaction with the user. This is generally used in daemons, which can only obtain an access_token for accessing resources.
Perhaps this is possible with the OpenID Connect flow?
This is where a user is logged in. Generally, delegated permissions are used, so it is impossible.
So, in summary, you cannot obtain ID tokens when using the client credential flow because there is no user interaction in the flow.

How to get microsoft graph token without popup user login page?

I need to write a backend app to read & write one company emailbox.
I have registered Active Directory Application and granted Delegated permissions (read and write to user mailbox).
Question is how to get the token needed for authenticate the graph api calls(for example ListMessages).
From the documentation I couldn't find any working example of a backend app acquiring a token and making API calls.
There are two endpoint versions:
Azure AD and Azure AD v2.0 endpoints;
And two authentication methods:
1. Get access on behalf of a user
https://developer.microsoft.com/en-us/graph/docs/concepts/auth_v2_user
2. Get access without a user
https://developer.microsoft.com/en-us/graph/docs/concepts/auth_v2_service
What should I use? Really confused.
Thanks all.
According to your description, I assume you want to get an access token without a user login page.
Based on my test, we can get an access token for an app that runs as a background service or daemon.
It requires an administrator to grant the access permission once; then the user will not see the login popup window anymore.
For more detail, we can refer to this official document.
Sounds like you are looking for Resource Owner Password Credentials grant flow.
However its usage is not recommended.
It does not work in these scenarios:
User has MFA
User password has expired
User is federated (MS account/Google/on-prem AD)
The only scenario that I can think of where this flow is okay is integration tests of APIs where you need to test scenarios where you call your API on behalf of a user.
Here are two better ways to do what you want:
1. Require an application permission to access user emails and have the admin grant it. Now you can use the client credentials grant flow to get a token anytime you need one.
2. Use delegated permissions, and have the user sign in once with the authorization code grant flow. Then exchange the code for an access token and a refresh token. Store at least the refresh token somewhere secure. Use the refresh token whenever you need a new token.
The first approach is more reliable but requires broader permissions.
The second has tighter security (only users who have authorized access can have their email read), but has slightly less reliability.
Refresh tokens can be invalidated, in which case you'll need the user to login again.
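Added example, not code from the original answer: the second approach above, delegated permissions with one interactive authorization-code sign-in, after which the stored refresh token is used unattended. It shows the code redemption, the refresh request, rotation of the stored refresh token, and the invalid_grant case where the refresh token has been invalidated and only a fresh user sign-in can recover, which is the reliability trade-off the answer describes. Tenant, client id, redirect URI, `post` transport, the token store and the replies used in the test are constructed.

```python
# Added example (not code from the original answer): delegated permissions,
# one authorization-code sign-in, then unattended refresh-token use with the
# invalid_grant failure mode handled. Tenant, client id, transport, the token
# store and the replies used in the test are constructed.
import json
from pathlib import Path
from urllib.error import HTTPError
from urllib.parse import urlencode
from urllib.request import Request, urlopen

TENANT = "contoso.onmicrosoft.com"  # assumed placeholder
TOKEN_URL = f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/token"
# offline_access is what makes the v2.0 endpoint issue a refresh token at all
SCOPE = "offline_access https://graph.microsoft.com/Mail.ReadWrite"


class NeedsInteractiveLogin(Exception):
    """The stored refresh token is unusable; send the user through auth code again."""


def http_post(url, body):
    req = Request(url, data=urlencode(body).encode(), method="POST")
    try:
        with urlopen(req) as resp:
            return json.load(resp)
    except HTTPError as err:
        return json.load(err)


class FileTokenStore:
    """Assumed persistence: one JSON file the service protects (e.g. mode 0600).
    A refresh token is a long-lived credential for the mailbox; treat it as one."""
    def __init__(self, path):
        self.path = Path(path)

    def load(self):
        return json.loads(self.path.read_text()) if self.path.exists() else None

    def save(self, refresh_token):
        self.path.write_text(json.dumps({"refresh_token": refresh_token}))


def redeem_code(client_id, client_secret, code, redirect_uri, store, post=http_post):
    """One-time step after the user's browser came back to redirect_uri?code=..."""
    reply = post(TOKEN_URL, {"grant_type": "authorization_code", "client_id": client_id,
                             "client_secret": client_secret, "code": code,
                             "redirect_uri": redirect_uri, "scope": SCOPE})
    if "error" in reply:
        raise RuntimeError(reply.get("error_description", reply["error"]))
    store.save(reply["refresh_token"])
    return reply["access_token"]


def access_token(client_id, client_secret, store, post=http_post):
    """Unattended path: trade the stored refresh token for a new access token."""
    saved = store.load()
    if not saved:
        raise NeedsInteractiveLogin("no refresh token stored yet")
    reply = post(TOKEN_URL, {"grant_type": "refresh_token", "client_id": client_id,
                             "client_secret": client_secret,
                             "refresh_token": saved["refresh_token"], "scope": SCOPE})
    if reply.get("error") == "invalid_grant":
        # revoked, expired through inactivity, password changed, consent removed:
        # nothing the daemon can do on its own
        raise NeedsInteractiveLogin(reply.get("error_description", "refresh token rejected"))
    if "error" in reply:
        raise RuntimeError(reply.get("error_description", reply["error"]))
    if reply.get("refresh_token"):
        store.save(reply["refresh_token"])  # the endpoint may rotate it; keep the newest
    return reply["access_token"]
```

The daemon calls `access_token(...)` before each Graph request and, on NeedsInteractiveLogin, stops and notifies an operator rather than retrying; that is the "user has to log in again" case from the answer, and no amount of retry fixes it.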

Revoke consent using Azure v2.0

I am using Azure v2.0 for user authentication. The access token that I receive is used to fetch OneNote content using the Microsoft Graph API. And I do store the refresh token at my end to access content on behalf of the user at any time. Now when a user opts out of my system, I want to revoke the permissions given by the user to my app.
How can I revoke the access without depending on the user for that? The user may not manually go and revoke the permissions. Is there any API provided for this purpose?
Is there any API provided by Azure v2.0 for the same?
Sorry for the delayed response here. Unfortunately we don't have a specific revocation API. And while this is theoretically possible through existing APIs, where the oauth2Permission resource type holds the consent grant (see https://developer.microsoft.com/en-us/graph/docs/api-reference/beta/api/oauth2permissiongrant_delete), your app will need to be granted a privileged permission to perform this action. Contrary to the linked topic, I don't believe that the Directory.ReadWrite.All application permission actually allows this operation.
Please create a UserVoice request to ask for this API.
Hope this helps,
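Added example, not code from the original answer: removing one user's delegated consent to this app through the Microsoft Graph oauth2PermissionGrant resource the answer points at (it is available in v1.0 today). Step 1 lists the grants whose clientId is the app's service principal object id and whose principalId is the user, following paging; step 2 deletes each. The ids, `call` transport and replies used in the test are constructed; the caller is assumed to hold an app-only Graph token with the permission the current Graph docs list for this operation (DelegatedPermissionGrant.ReadWrite.All at the time of writing; verify against the docs before relying on it, since the answer's doubt about Directory.ReadWrite.All is exactly this question).

```python
# Added example (not code from the original answer): revoking a user's
# delegated consent via Graph oauth2PermissionGrants. The ids, `call`
# transport and replies used in the test are constructed; the required
# Graph permission is an assumption to verify against current docs.
import json
from urllib.parse import quote
from urllib.request import Request, urlopen

GRAPH = "https://graph.microsoft.com/v1.0"


def http_call(method, url, token):
    req = Request(url, method=method,
                  headers={"Authorization": f"Bearer {token}", "Accept": "application/json"})
    with urlopen(req) as resp:
        raw = resp.read()            # DELETE returns 204 with an empty body
        return json.loads(raw) if raw else {}


def find_user_grants(sp_object_id, user_object_id, token, call=http_call):
    """Per-user consent has consentType 'Principal'; an admin's 'AllPrincipals'
    grant covers everyone and must not be removed because one user leaves."""
    flt = (f"clientId eq '{sp_object_id}' and consentType eq 'Principal' "
           f"and principalId eq '{user_object_id}'")
    url = f"{GRAPH}/oauth2PermissionGrants?$filter={quote(flt)}"
    grants = []
    while url:                       # follow paging if Graph splits the result
        page = call("GET", url, token)
        grants.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return grants


def revoke_user_consent(sp_object_id, user_object_id, token, call=http_call):
    """Delete the user's grants. Per the Graph docs for this operation, access
    tokens already issued stay valid until they expire, but no new tokens are
    issued for the deleted scopes, so a stored refresh token stops working."""
    grants = find_user_grants(sp_object_id, user_object_id, token, call)
    for grant in grants:
        call("DELETE", f"{GRAPH}/oauth2PermissionGrants/{grant['id']}", token)
    return [grant["id"] for grant in grants]
```

Because an in-flight access token survives until expiry, also discard the user's stored refresh token on your side at the same time. Graph additionally exposes a revokeSignInSessions action on the user resource that invalidates the user's refresh tokens, but that affects every application the user signed in to, not just yours, so it is a blunter tool than deleting your own grant.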
